I have a log file that my custom application uses named 'application.log'.

I want to set up a daemon that will monitor this file and scan for any errors marked CRIT and ignore the other DEBUG and WARN messages. The daemon should be easily configurable to work with other applications, so that the logging mechanism can be standardised across the network.

Furthermore, the software should be mature in the sense that it should have an extensive feature set. For example, the software should be intelligent enough to send multiple errors occurring within 30 seconds in one email rather than spamming duplicate notification events.

I was told that syslogd can be used to this effect? I am currently diving blindly into the documentation, but I would very much appreciate some guidance from an experienced sysadmin. ;-)

There's also a Nagios plugin called check_logfiles, which can scan logfiles for "incoming" occurrences of regular expressions. The notification mechanism is then part of Nagios.
– Ulrich Schwarz, Feb 11 '13 at 7:22

1 Answer
1

Rsyslog has a mail module, which I suppose you could use in conjunction with the file monitor, and probably learn some stuff about configuring rsyslog in the process, lol. Keep in mind that your logging is not part of syslog, which is why you would need to set it up to "monitor another file".

The application could use syslog directly; there is a native facility for this in *nix (or at least POSIX) and I think every programming language will have some interface to it. That means some recoding, of course, but if your logging is modular, you could have syslog as an option. If it isn't modular it should be ;)

Also, writing a monitor of this sort in something like Perl or Python would be very simple, I think, since languages like that will have very high-level, easy-to-set-up email modules.

Thank you. I ended up using a log module provided with my application framework Zend_Log_Writer_Syslog to use the native syslog facility, which was so easy that I only needed to add a few lines to my configuration file! From there, it was simple to use Rsyslog's ommail module. All I needed to do was add a configuration file under /etc/rsyslog.d/. The file follows the general format of the sample given in the mail module documentation, except I filtered by $programname rather than $msg.
– Damien Bezborodov, Feb 15 '13 at 7:22
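
The answer's suggestion of a small Python monitor, combined with the question's requirement to fold CRIT errors occurring within 30 seconds into one email, sketched as an added example (not code from any poster in this thread). The line format `YYYY-MM-DD HH:MM:SS LEVEL message`, the sample lines and the mail addresses are assumptions; the code covers filtering and batching only and neither tails the file nor sends mail.

```python
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Assumed line format (not given on the page): "YYYY-MM-DD HH:MM:SS LEVEL message"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (CRIT|WARN|DEBUG) (.*)$")
WINDOW = timedelta(seconds=30)

def crit_events(lines):
    """Yield (timestamp, message) for CRIT lines; skip other levels and unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m and m.group(2) == "CRIT":
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)

def batch(events, window=WINDOW):
    """Group events so each batch spans at most `window` from its first event."""
    batches, current = [], []
    for ts, msg in events:
        if current and ts - current[0][0] > window:
            batches.append(current)
            current = []
        current.append((ts, msg))
    if current:
        batches.append(current)
    return batches

def build_mail(events, sender, recipient):
    """Build one notification per batch. Log text may carry untrusted input,
    so it goes in the body only and never into a header."""
    mail = EmailMessage()
    mail["From"], mail["To"] = sender, recipient
    mail["Subject"] = f"application.log: {len(events)} CRIT event(s)"
    mail.set_content("\n".join(f"{ts.isoformat(sep=' ')} {msg}" for ts, msg in events))
    return mail

# Constructed sample input, not taken from a real application.log
SAMPLE = [
    "2013-02-11 07:00:00 DEBUG cache warmed",
    "2013-02-11 07:00:05 CRIT database connection lost",
    "2013-02-11 07:00:20 CRIT database connection lost",
    "2013-02-11 07:00:34 WARN retrying",
    "2013-02-11 07:00:35 CRIT worker pool exhausted",
    "2013-02-11 07:02:00 CRIT disk quota exceeded",
    "garbage line without a level",
]

if __name__ == "__main__":
    for group in batch(crit_events(SAMPLE)):
        print(build_mail(group, "monitor@example.org", "ops@example.org"))
```

Handing each message to `smtplib.SMTP.send_message` and feeding `crit_events` from a file follower would turn this into the daemon the question describes.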